Description
Hello tinyxml2 Team,
We have been fuzzing tinyxml2 using LibFuzzer with AddressSanitizer (ASan) and have discovered two separate issues that we would like to report. One is a high-severity Denial of Service (DoS) vulnerability, and the other is a suggestion to harden a critical API against misuse that leads to memory corruption.
Summary
A null pointer dereference vulnerability exists in the tinyxml2::XMLDocument::DeleteNode function. Calling this function with a nullptr argument results in a SIGSEGV (Segmentation Fault), causing the application to crash.
While this issue was discovered through fuzzing by intentionally passing a nullptr, it represents a robustness issue that could be triggered by common programming errors in applications using the tinyxml2 library.
Reported by: Sergio Atienza Pastor from the R&D department of MTP (Métodos y Tecnología).
Vulnerability Details
**Vulnerability Type:** Null Pointer Dereference
**CWE:** [CWE-476: NULL Pointer Dereference](https://cwe.mitre.org/data/definitions/476.html)
**Impact:** Denial of Service (DoS). Any application that calls DeleteNode(nullptr) will terminate unexpectedly.
**Affected Function:** tinyxml2::XMLDocument::DeleteNode(XMLNode* node)
**Location:** tinyxml2.cpp, line 2329
Description
The DeleteNode function does not validate whether the node argument is null before attempting to dereference it to access its _parent member.

```cpp
// tinyxml2.cpp:2328
void XMLDocument::DeleteNode( XMLNode* node ) {
    if (node->_parent) { // <-- CRASH: 'node' is dereferenced without a null check.
        node->_parent->DeleteChild( node );
    }
    // ...
}
```
When node is nullptr, the expression node->_parent triggers a segmentation fault, leading to a crash. A robust API should handle null inputs gracefully, for instance, by treating the call as a no-op.
Proof of Concept (POC)
The following minimal C++ code reliably reproduces the crash.

```cpp
#include "tinyxml2.h"
#include <iostream>

int main() {
    tinyxml2::XMLDocument doc;
    // Attempting to delete a node using a null pointer.
    // A robust library should handle this call without crashing.
    std::cout << "Calling DeleteNode(nullptr)..." << std::endl;
    doc.DeleteNode(nullptr); // This line triggers the SEGFAULT.
    std::cout << "This message will not be printed." << std::endl;
    return 0;
}
```
Proposed Solution
A simple null check should be added at the beginning of the DeleteNode function to prevent the dereference and make the API more robust.
Suggested Fix in tinyxml2.cpp:

```cpp
void XMLDocument::DeleteNode( XMLNode* node ) {
    if ( node == nullptr ) {
        return; // Safely exit if the node is null.
    }
    if (node->_parent) {
        node->_parent->DeleteChild( node );
    }
    else {
        // ... rest of the function
    }
}
```
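To show the effect of the guard without linking against tinyxml2, the following is an added stand-in model (not tinyxml2's code, nor part of the report) of the parent/child linkage with the guarded DeleteNode from the proposed fix; the node fields, InsertEndChild, ChildCount and DemoDeleteNode are assumptions of this model.

```cpp
// Added stand-in, not tinyxml2's code: a minimal model of the XMLNode
// sibling/parent linkage so the hardened DeleteNode can run on its own.
#include <cassert>

struct XMLNode {
    XMLNode *_parent = nullptr, *_firstChild = nullptr, *_lastChild = nullptr;
    XMLNode *_prev = nullptr, *_next = nullptr;
    ~XMLNode() { while (_firstChild) DeleteChild(_firstChild); }

    XMLNode* InsertEndChild(XMLNode* child) {
        child->_parent = this;
        child->_prev = _lastChild;
        if (_lastChild) _lastChild->_next = child; else _firstChild = child;
        _lastChild = child;
        return child;
    }
    // Unlink 'child' from this node's child list and free it.
    void DeleteChild(XMLNode* child) {
        assert(child && child->_parent == this);
        if (child->_prev) child->_prev->_next = child->_next; else _firstChild = child->_next;
        if (child->_next) child->_next->_prev = child->_prev; else _lastChild = child->_prev;
        delete child;
    }
    int ChildCount() const {
        int n = 0;
        for (const XMLNode* c = _firstChild; c; c = c->_next) ++n;
        return n;
    }
};

struct XMLDocument {
    XMLNode root;
    // Guarded form from the proposed fix: nullptr is a no-op, not a dereference.
    void DeleteNode(XMLNode* node) {
        if (node == nullptr) return;
        if (node->_parent) node->_parent->DeleteChild(node);
        else delete node;  // unparented branch; an assumption of this model
    }
};

// Build three children, delete one, then call DeleteNode(nullptr) and return
// the surviving child count (2). The unguarded original would crash at the null call.
int DemoDeleteNode() {
    XMLDocument doc;
    XMLNode* first = doc.root.InsertEndChild(new XMLNode);
    doc.root.InsertEndChild(new XMLNode);
    doc.root.InsertEndChild(new XMLNode);
    doc.DeleteNode(first);    // valid node: unlinked and freed
    doc.DeleteNode(nullptr);  // null argument: ignored after the fix
    return doc.root.ChildCount();
}
```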